Some Android users have found themselves the victims of perhaps the first full-fledged Trojan to hit the system. Our story on the Trojan yesterday drew a great deal of attention, so we decided to dig into this one a bit deeper.

A reader, Jon Oberheide, founder of security startup Scio Security and Ph.D. candidate at the University of Michigan, writes us that he obtained the dreaded Android Trojan, disassembled it, and posted an analysis in gory detail.

From his results it's readily apparent that the effort is amateurish, but slightly clever. The program bears a great deal of similarity to the "HelloWorld" tutorial hosted by Google for aspiring developers. It even prints the string "Hello Android from NetBeans".

When the MoviePlayer activity of the app fires up, it triggers the app's onCreate event. This event checks an SQLite database with a single table and column to see if the string "was" was previously written. Here comes the (sort of) clever part: on the malware's first run, after accomplishing its ill objectives, it writes the string to the database. That way, on subsequent runs, the string is detected and the program merely exits without continuing the attack. By doing so, it keeps a low profile and its evil actions might escape notice.

Returning to the actions themselves: assuming it's the first time the app has been run, the app tries to send an SMS text message with a numeric body to the premium-rate Russian short codes "3353" and "3354". Meanwhile it displays to the user Russian text that translates to "Wait, seeking access to video library..."

What's more, as Mr. Oberheide aptly points out, the premium texts should only go through in Russia. U.S. users likely won't incur toll charges from the attack. Of course, similar Trojans could be employed in the U.S. in the near future, so beware.

Also, the user has to physically download, install, and approve the permissions on the app. This much relies on the Russian tricksters advertising the app as a "media player". A number of people (in Russia) reportedly did fall for this, completing these steps. The final step is that the user has to open (run) the application. Again, a number of users apparently fell for this.
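The permission-approval step is where this one could have been caught: a "media player" has no business asking to send SMS. As an added example, not part of the article or of Jon Oberheide's analysis, here is a Python check that parses a constructed AndroidManifest.xml (modelled on the article's description, with an assumed package name) and flags requested permissions that do not fit the app's advertised category; the category-to-permission mapping is an assumed baseline, not an official list.

```python
"""Flag Android manifest permissions that do not fit an app's advertised purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline: permissions a practitioner would consider out of place
# for an app sold under the given category. Not an official Android list.
UNEXPECTED_FOR_CATEGORY = {
    "media player": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.CALL_PHONE",
    },
}

# Constructed sample manifest resembling the "media player" Trojan described
# in the article: a MoviePlayer launcher activity plus a SEND_SMS request.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.movieplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="MoviePlayer">
    <activity android:name=".MoviePlayer">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values from every <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {elem.get(name_attr, "") for elem in root.iter("uses-permission")}


def suspicious_permissions(manifest_xml, category):
    """Requested permissions that are unexpected for the advertised category."""
    unexpected = UNEXPECTED_FOR_CATEGORY.get(category.lower(), set())
    return declared_permissions(manifest_xml) & unexpected


if __name__ == "__main__":
    for perm in sorted(suspicious_permissions(SAMPLE_MANIFEST, "media player")):
        print("WARNING: %s is unexpected for a media player" % perm)
```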

Basically the only mistake Google made in this case, in terms of security, was overestimating users' ability to handle their own security policies. Most Android users are in the U.S. and China (less than 1 percent are in Russia), so fortunately in this case a minimal number of people appear to have been affected by their membership in the security-ignorant masses.

From this information, it's clear that the threat to savvy American users (or international ones) is minimal. Just be sure not to install strange apps. And if you suspect that an app may not be what it purports to be, notify Google and your carrier immediately, so you can be refunded in the case of malicious activity.

Android isn't the only platform to be hit by similar schemes. Owners of jailbroken iPhones have been hit by worms in the past, some mere pranks, others malicious.

Thanks, Jon, for the email about your analysis!
